How mom-and-pop websites are fueling ever more potent denial-of-service attacks.

Over the past two weeks, a new wave of Web attacks has battered major US banks, causing disruptions for many of their online services. Now, an Israel-based security firm has uncovered one of the secret footsoldiers behind the mass assault: a compromised website that was rigged to unleash a torrent of junk traffic on three of the world's biggest financial institutions.

The discovery by Web application security firm Incapsula helps explain the strategy behind the four-month-old campaign, which has been carried out under the flag of a group calling itself Izz ad-Din al-Qassam—rather than compromise and recruit thousands or tens of thousands of end-user PCs to carry out the distributed denial-of-service attacks, why not target a handful of Web servers that have orders of magnitude more bandwidth and processing power?

Over the weekend, Incapsula researchers noticed a general-interest website located in the UK that was exhibiting suspicious behavior. They quickly discovered a backdoor planted on it that was programmed to receive instructions from remote attackers. An analysis showed the website, which had only recently contracted with Incapsula, was being directed to send a flood of HTTP and UDP packets to major banks including PNC Financial Services, HSBC, and Fifth Third Bank.

"Since the commands were blocked by our service the attack was mitigated even before it started, so we can't be absolutely sure about the scope of damage this attack would cause," Incapsula Security Analyst Ronen Atias wrote in a blog post published Tuesday. "Still, it is safe to assume that it would be enough to seriously harm an average medium-sized website."

The blog post came the same day that purported Izz ad-Din al-Qassam members posted a new message that warned the attacks would continue until the removal of a YouTube video the group says is offensive to Muslims. In recent days, banks including BB&T, Fifth Third Bank, Ally Financial Corp., and PNC have all reportedly confirmed website or online banking access issues. The unidentified site discovered by Incapsula was most likely compromised as a result of weak security. The administration password was simply "admin."

The backdoor was programmed to accept attack code remotely sent by the attackers. The PHP scripts contained detailed instructions, which among other things included precisely timed directions intended to order attacks to be stopped and then renewed just as the target website was starting to recover. The scripts were programmed to open a new instance of themselves each time they were executed, causing the torrents to grow exponentially larger over time. Because the compromised Web server was located in a shared hosting environment, there was enough bandwidth and processing power available to accommodate the ever-growing demands.
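The pattern the article describes, a web server that starts originating bursts of outbound HTTP/UDP traffic toward one external host while its PHP worker count keeps multiplying, is what a hosting provider would want to alert on. The following is an added, defender-side illustration, not code from the article or from Incapsula; it assumes outbound flow records exported from the host (for example from conntrack or NetFlow) as tuples of (seconds, protocol, process, destination, port), and the sample data is constructed using RFC 5737 documentation addresses.

```python
"""Flag a web host that has become a DDoS source (added example, not the article's code)."""
from collections import Counter, defaultdict


def constructed_flows():
    """Constructed sample: a handful of legitimate API calls, then a 30-second
    burst in which php-fpm hammers one target on tcp/80 and another on udp/53."""
    flows = [(t, "tcp", "php-fpm", "203.0.113.5", 443) for t in range(0, 60, 15)]
    for t in range(20, 50):
        flows += [(t, "tcp", "php-fpm", "198.51.100.7", 80)] * 12   # 12 flows/s
        flows += [(t, "udp", "php-fpm", "198.51.100.9", 53)] * 8    # 8 flows/s
    return flows


def outbound_flood_destinations(flows, window_s=10, threshold=100):
    """Return {(dst, port, proto): peak flows per window} for every destination
    that received at least `threshold` outbound flows in some window_s-second
    bucket. A web server normally answers inbound requests; a high-rate,
    single-destination outbound pattern is the signature of it being used
    as an attack source rather than serving its own visitors."""
    buckets = defaultdict(Counter)
    for t, proto, _proc, dst, port in flows:
        buckets[(dst, port, proto)][t // window_s] += 1
    return {key: max(c.values()) for key, c in buckets.items()
            if max(c.values()) >= threshold}


def php_process_growth(counts, factor=1.5, min_steps=3):
    """counts: PHP worker counts sampled at a fixed interval.
    True when the count multiplies by at least `factor` at every step for
    at least `min_steps` steps, i.e. the self-spawning growth the article
    describes rather than ordinary load fluctuation."""
    steps = [later >= earlier * factor for earlier, later in zip(counts, counts[1:])]
    return len(steps) >= min_steps and all(steps)


if __name__ == "__main__":
    print(outbound_flood_destinations(constructed_flows()))
    print(php_process_growth([4, 8, 17, 35, 70]), php_process_growth([4, 5, 4, 6]))
```

The thresholds are assumptions to be tuned per host; on a shared server the per-destination window count is the more reliable signal, because total outbound volume is diluted by the other tenants.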

Incapsula's blog post may help to explain observations aired three months ago that crippling attacks on the websites of Bank of America, Wells Fargo, and at least three other large banks were executed by hundreds of compromised servers. The extra horsepower of the machines created peak floods exceeding 60 gigabits per second, a volume big enough to knock even large sites offline unless they take special action to block the attacks.

Ronen told Ars the attack code he observed was separate from a relatively new attack tool known as "itsoknoproblembro," which was deployed on many of the compromised servers discovered three months ago. Still, the ability of the new code to work in shifts and to gradually multiply itself appeared to make the recently discovered attack highly effective. Adding to the success, attackers need little more than a laptop and a decent command of PHP and hacking techniques to ply their trade. The considerable amount of electricity, bandwidth, and equipment required were all supplied by unwitting accomplices.

Indeed, the command and control server used to funnel commands to the compromised Web server was itself a Turkish website, which Incapsula's Atias also believes was compromised.

"This is just another demonstration of how security in the internet is always determined by the weakest link," he wrote. "Simply neglecting to manage [an] administrative password in a small site in the UK can be very quickly exploited by botnet shepherds operating obscurely out of Turkey to hurl large amounts of traffic at American banks. This is a good example of how we are all just a part of a shared ecosystem where website security should be a shared goal and a shared responsibility."

If you criticize them for this action, let me remind you that US and Israel is actively hacking Iran's sovereign effort in nuclear technology.

US banking allows the civilized world to continue functioning (even outside of the US). Iran's nuclear energy efforts do not, and in fact potentially threaten the civilized world, depending who you talk to. There's really no comparison to make here.

If that doesn't raise the possibility of a false flag "attack"...nothing can.

I would have been happier if someone without a vested interest in promoting the idea of an Islamic threat had "discovered" this DDoS 'attack'.

Israel is famous for its false flag endeavours....to the point where they are no longer credible to anyone but the credulous and gullible.

"Wolf! Wolf!" ......yeah...right.

The Israelis are bleeding edge in this field. There are also some great people on both sides of the malware fence in the soviet bloc. Also as Islamists have been taking credit for these attacks it is a pretty lousy false flag. "well after a lot of research we are willing to accuse the guy with the smoking gun who has been screaming 'I DID IT! I DID IT! I DID IT!'"

I suspect that the bots are rentals but have it on authority that they are not. Looking at the mechanics of those attacks, they stink of rental.

I don't understand; how is flooding HTTP traffic to port 53 on one of PNC's DNS servers an effective DDOS? Would BIND just discard those packets?

I'm not an expert, but I play one at work.

It's rather strange that Incapsula never discovers DDoS attacks that have been active now for at least 2 years from Israeli Internet service providers. A Google search will easily confirm how many thousands and thousands of websites are constantly hit from the blocks 192.114.64.0 - 192.114.79.255

So yes, the information from them is completely unreliable as they just expose what they want or need in order to market themselves.

I also have found that Incapsula tends to do these "discoveries" as media advertising. They always tend to discover things others don't, and they heavily advertise their solution that stops these attacks. Lately Incapsula is constantly in the press about similar idiotic discoveries, which makes me wonder what kind of security company is run by 15-year-old kids if these are their discoveries. Most of these always sound like a marketing press release.

Real security companies tend to do real discoveries and give out a great deal of information on the attacks, sources, analysis and how it works.

PHP DoS attacks are far from new; they have existed for a decade now, but they just found this now? Wow, what an amazing security firm. We all know they just want media exposure because this is far from new.

Strange that Cloudflare, which is way bigger and has way more data than them, did not even mention this, and Incapsula discovered this from one single client? How is this even news?

If you criticize them for this action, let me remind you that US and Israel is actively hacking Iran's sovereign effort in nuclear technology.

That doesn't really work. Not because you can't compare the two (of course you can, though you may conclude that they are different - which you can only do after making such a comparison so all you "you can't compare that"-people actually did compare them), but because there are actually sides, which people take. It makes total sense to criticize your opponent and at the same time not criticize your own side for a comparable action. That's basically the whole idea of taking sides - attacking your opponent is a Good Thing, but being attacked by them is a Bad Thing. (that doesn't mean that you can't criticize your own side, of course)

Even if those packets are discarded (which may not be the case) it still consumes resources on the machine running BIND in order to discard those packets. Enough such packets results in a DDOS aka Distributed Denial Of Service attack.

"This company is doing something that offends us, so until they stop doing it we're going to attack these other random companies".

Okay, that makes sense. Not.

Early 90s reference aside, ^ this. At least Anonymous goes after the people that actually piss them off.

If this were true, and I've got my doubts, wouldn't it make more sense to go after, I dunno, Israeli sites? Or is this supposed to be another "down with the imperialist kaffir!" and the natural target would be our kaffir banks?

This article (and your reply) both raise a point though. A lot of people still don't know any better and will never change their router password.

Mostly because they won't know they need to, won't know that the password is even there, or (which is more likely) they'll never need to go into the router's settings, so it won't even occur to them.

Why then do companies who make these routers still insist on default passwords? At the very least, randomise it and put it on a sticker along with the WiFi password. Granted that's not exactly secure, but at least the person would need physical access to the router.

Virgin Media at least sort of solves the problem by having the default set to changeme, and it insists you change the password before getting into the router.

Admin should never be used - EVER

Golgatha wrote:

Admin? That's the same password on my router too! You mean that's not secure?

"The unidentified site discovered by Incapsula was most likely compromised as a result of weak security. The administration password was simply "admin.""

That's because many mom&pop shops out there run stuff like Wordpress, loaded to the brim with plugins and other crap that's not necessary (because they sound good, rather than useful). They in turn get exploited and have code dropped on them that lets someone use an unauthenticated remote shell or more. And the website owners typically don't know about it, and even if they did, probably wouldn't care as long as the website itself continued to work.

This problem will keep happening until turnkey solutions like these start taking security seriously and require some technical modicum to operate. When you make advanced technology available to the masses, and remove the technical barrier, you have, effectively, a bunch of idiots using something that's way beyond their grasp, using it improperly and furthering the problem that the technically-minded have to deal with.

Rant over.

I lean the other direction: it's still far too complicated to adequately secure many popular applications, and some, like Joomla, can't really be secured even if the administrator does everything right.

Web hosting right now is in a kind of free-for-all phase, in which anything uploadable via FTP is assumed safe and tends to be executable. There really is no consistent way to verify a site application's integrity, to quickly detect and isolate breaches, or to reliably recover. Even with myriad tools for such purposes, it's all manual labor, break/fix at this point. And it's hard to see a way out of it.

so..it hurls large amounts of traffic at bank websites and the site goes offline for a few minutes...and then?

Starts up again; it's meant to keep the site from dying completely, so that users and the bank have the worse experience. After all, what's worse? A site that's completely offline, or one you merely have a lot of trouble accessing?